I came across your blog post: https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx
You haven't mentioned how to check if a user enters password history n-2. Is there any possibility to identify this?

You want to tell when a user "enters password history n-2". If you mean checking when a user attempts to authenticate with either the n-1 or n-2 password, the only way would be to check if the badPwdCount attribute of the user incremented. It would be best to target the PDC Emulator for the query. If badPwdCount did not increment, then the password used must have been either n-1 or n-2. The query must be done before lockoutObservationWindow expires after the bad password attempt. The following dsquery command could be used:
dsquery * -Server MyPDC.mydomain.com -Filter "(sAMAccountName=MyUserName)" -Attr sAMAccountName badPwdCount
This would be run right before the authentication attempt, unless you know the count is 0, then right after the attempt to see if the count incremented. A similar PowerShell query would be:
Get-ADUser -Server MyPDC.mydomain.com -Filter {sAMAccountName -eq "MyUserName"} -Properties badPwdCount | Select sAMAccountName, badPwdCount
There is no way to check what is in password history directly.
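The before/after comparison described in the answer above, written out as an added PowerShell example (not code from the original thread). It assumes the ActiveDirectory module is installed, that the running account can read user attributes, and that the current domain's PDC Emulator is reachable; the function names are my own. The first function reads badPwdCount from the PDC Emulator, the second takes a snapshot before and after the step in which the user makes their logon attempt and reports whether the count moved.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# module is available and the caller can read user attributes in the domain.
Import-Module ActiveDirectory

function Get-BadPwdCountFromPdc {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # badPwdCount is not replicated between DCs, but every DC forwards bad
    # password attempts to the PDC Emulator, so its copy is the one to read.
    $pdc  = (Get-ADDomain).PDCEmulator
    $user = Get-ADUser -Server $pdc -Identity $SamAccountName `
                -Properties badPwdCount, LastBadPasswordAttempt

    [pscustomobject]@{
        SamAccountName         = $user.SamAccountName
        PdcEmulator            = $pdc
        BadPwdCount            = [int]$user.badPwdCount
        LastBadPasswordAttempt = $user.LastBadPasswordAttempt
    }
}

function Test-BadPwdCountChange {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Script block that runs while the user makes their logon attempt;
        # by default it simply waits for the operator to confirm the attempt is done.
        [scriptblock]$DuringAttempt = { Read-Host 'Press Enter once the user has attempted to log on' | Out-Null }
    )

    $before = Get-BadPwdCountFromPdc -SamAccountName $SamAccountName
    & $DuringAttempt
    $after  = Get-BadPwdCountFromPdc -SamAccountName $SamAccountName

    # Both reads must happen inside lockoutObservationWindow, otherwise the
    # count may have been reset to 0 between them and the comparison is meaningless.
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        PdcEmulator    = $after.PdcEmulator
        CountBefore    = $before.BadPwdCount
        CountAfter     = $after.BadPwdCount
        Incremented    = ($after.BadPwdCount -gt $before.BadPwdCount)
    }
}

# Example invocation (MyUserName is a placeholder account name):
# Test-BadPwdCountChange -SamAccountName 'MyUserName'
```

If `Incremented` is `$false` after a logon that was rejected, the answer's reasoning applies: the rejected password was one the DC treats as a recent history entry rather than a wrong password. If it is `$true`, the attempt counted as a genuine bad password. A count that drops between the two reads means the observation window expired or the user logged on successfully in between.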

There is no need to specify the domain controllers in this script. The script itself retrieves a list of all DCs in the domain, then queries each for values that are not replicated among DCs. The code demonstrates how to retrieve the list of domain controllers. You can use the code for this in other scripts.
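An added PowerShell example of the pattern this reply describes (enumerate every DC in the domain, then read the non-replicated attributes from each one); it is not the script the reply refers to and the function name is my own. It assumes the ActiveDirectory module and LDAP connectivity to each DC.

```powershell
# Added example, not the script from the original thread. Assumes the
# ActiveDirectory module is available and every DC is reachable over LDAP.
Import-Module ActiveDirectory

function Get-UserBadPwdCountPerDC {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Discover the DC list instead of hard-coding server names.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        try {
            # badPwdCount, LastBadPasswordAttempt and lastLogon are all kept
            # per DC and are not replicated, so each DC has its own view.
            $u = Get-ADUser -Server $dc -Identity $SamAccountName `
                    -Properties badPwdCount, LastBadPasswordAttempt, lastLogon

            [pscustomobject]@{
                DomainController       = $dc
                BadPwdCount            = [int]$u.badPwdCount
                LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                # lastLogon is a raw Windows FILETIME (Int64); convert it for display.
                LastLogon              = if ($u.lastLogon) { [DateTime]::FromFileTime($u.lastLogon) } else { $null }
                Error                  = $null
            }
        }
        catch {
            # A DC that is down or unreachable should not abort the whole sweep.
            [pscustomobject]@{
                DomainController       = $dc
                BadPwdCount            = $null
                LastBadPasswordAttempt = $null
                LastLogon              = $null
                Error                  = $_.Exception.Message
            }
        }
    }
}

# Example invocation (MyUserName is a placeholder account name):
# Get-UserBadPwdCountPerDC -SamAccountName 'MyUserName' | Format-Table -AutoSize
```

The PDC Emulator's row will normally show the highest badPwdCount, since the other DCs forward bad password attempts to it; the per-DC rows are still useful for seeing which DC the attempts arrived at, and the `Error` column shows any DC that could not be queried rather than silently dropping it.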